
.NET security development

Describes development problems, issues and other trivia in the .NET environment I run into while working

localstart.asp

Localstart.asp is a default page on IIS installations. This page is protected by IIS using basic authentication. The problem with this is that if I am able to bruteforce the password, I know the password for the admin on the local box. This can be very bad since the attacker now knows the admin's password. If the box enables any network services, this is almost fatal. Even if this particular box does not have any network services, the attacker has an idea of how the admin is making up passwords....

SSL certificates and poor implementations

We all know what an SSL cert is, right? Well then why are most certs so poorly implemented? I think the problem lies with most system administrators getting the cert at the last minute (when users report seeing an expired cert on the site) and sticking it in. Often though, several weak ciphers are allowed. I assume that everything below 128 bit encryption is a weak cipher (and hopefully you do too). Anyways, here are a few tools to check how the SSL encryption of your site looks to hackers: ServerSniff...

.net byte v/s java byte

So a byte is a byte is a byte unless it is not! That in one sentence sums up my findings from yesterday. A byte in .NET represents an unsigned byte (0 - 255) automatically, but a byte in Java is a signed byte (-128 - 127), and no, there is no way to get an unsigned byte. I never really came across this problem till I was running some encryption algorithms on both. I need to encrypt a string in .NET and decrypt it in Java. For this I was converting the byte array into a hex string and asking users to enter...

RC4 implementation in C#

I was very surprised to find that the .NET framework does not have an implementation of RC4. I read somewhere that .NET 2.0 will have access to RC4, but it is definitely not included in the 1.1 version. So I went out and found a good implementation of RC4. It is quite simple to use (I think) and has a simple function interface. I could of course write one on my own, but it is easier to reuse code and the license seems pretty liberal. Have fun! Oh, and for those who really follow my blog, I am writing this...

ECB v/s CBC

Just thought I would throw in some stuff this weekend about security. I was reading up at a coffee shop about the use of block ciphers, and situations in which they should not be used. Ran across this very interesting post from the security samurai. If you want to know when to use ECB versus CBC, this is important reading. He also gives a .NET example of using the Rijndael encryption scheme! Have fun. Personal moment: Dang! We are seeing the sun for the first time in a week (in the northeast) and I...

Server.Transfer and postback events bug

So here's a documented bug with ASP .NET 1.1 that Microsoft accepts. The problem is when you have a postback control on a page and are using Server.Transfer along with it. I am trying to figure out a secure way to transfer variables between pages without pushing them down to the browser with encrypted cookies. The application is too sensitive to have any user data on the client side. Maybe I have to go back to the good old way of shoving stuff in the database :( . Anybody have suggestions to mitigate...

code fondness and jumping to the other side

I am currently not very tied up at work. After pushing the release "over the wall" (post-sales support team head's words... not mine) I have been enjoying a few days of not much work. A little testing here and there to make sure that everything is as is needed and wanted, and fixing a few bugs. I am in a big quandary right now though. I would like to go out to the client site for the install along with the consultant guide. I fear two things, a) that the consultants are going to smirk at me (this I can...

A salute to release engineers and a take on the development process

I haven't really posted in a long time. It's been pretty hectic at work with testing and finally rolling out the release. There are two basic points that I would like to address in this post. One, a salute to release engineers and two, my thoughts on the development process. I was wearing one of my hats last week - release engineer. I have to say I appreciate the work that release engineers have to go through. In my naive "developer only" days I thought that the release engineers had to take the...

haa.. passed it to QA

I had a very busy last week. For those of you who were wondering what I was up to, I was in stage 2 testing and rollout. Stage 2 what? you say. Well, I like to call it Stage 2 testing and rollout because the developers have run it on their machines and a patched demo version is now working. The real integration and testing starts at Stage 2. All that I really do is make setup files for all the components and arrange them on CDs. Also, I check if there are any major holes in the system, aka show-stoppers....

now it's not there, now it is

I have an application that connects to the database on startup. This afternoon, while trying to bring it up on a test machine, I ran into a funky problem. After modifying the database connection string, I got a "SQL server not available" message. I went, huh? Thinking it must have been some cached stuff, I hit refresh on the browser - VOILA! The login page comes up. Then I try to log in - it comes back with a connection error. I tried this several times with different DB servers and each time the same...

Copyright © Rishi Pande